Professional Documents
Culture Documents
C o m m i t t e e o f S p o n s o r i n g O r g a n i z a t i o n s o f t h e T r e a d w a y C o m m i s s i o n
September 2012
To submit comments on this Public Exposure Draft, please visit the www.ic.coso.org website. Responses are due by
November 16, 2012.
Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in
a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send
responses by fax.
Written comments on this exposure draft will become part of the public record and will be available on-line March 31, 2013.
Draft for Discussion
©2012 All Rights Reserved. No part of this publication may be reproduced, redistributed, transmitted or displayed in any form or by any
means without written permission. For information regarding licensing and reprint permissions please contact the American Institute of
Certified Public Accountants, licensing and permissions agent for COSO copyrighted materials. Direct all inquiries to copyright@aicpa.
org or to AICPA, Attn: Manager, Rights and Permissions, 220 Leigh Farm Rd., Durham, NC 27707. Telephone inquiries may be directed
to 888-777-7707.
Inter n al Co n t ro l — I n te g rate d F ra mewo rk
To submit comments on this Public Exposure Draft, please visit the www.ic.coso.org website. Responses are due by
November 16, 2012.
Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in
a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send
responses by fax.
Written comments on this exposure draft will become part of the public record and will be available on-line March 31, 2013.
Committee of Sponsoring Organizations of
the Treadway Commission
Principal Contributors
Members at Large
Foreword............................................................................................................i
1. Introduction............................................................................................... 1
2. Control Environment................................................................................11
3. Risk Assessment.................................................................................... 45
4. Control Activities......................................................................................73
6. Monitoring Activities..............................................................................131
Appendix
2 The Framework retains the core definition of internal control and the five components of
internal control. At the same time, the Framework includes enhancements and clari-
fications that are intended to ease use and application. One of the more significant
enhancements is the formalization of fundamental concepts introduced in the original
framework as principles. These principles associated with the five components provide
clarity for users in designing and implementing systems of internal control. In turn, this
3 In the twenty years since the release of the original framework, business and operating
environments have changed dramatically, becoming increasingly complex, technologi-
cally driven, and global. At the same time, stakeholders have become more engaged,
seeking greater transparency and accountability for the integrity of systems of inter-
nal control that support business decisions and governance of the organization. The
Framework and the Compendium incorporate many of these changes including:
•• Use of, and Reliance on, Evolving Technologies—An increasingly mobile and
interconnected world has made technology more essential for many organizations
to improve performance, business processes, and decision making. Entities are
investing in emerging technologies, such as cloud computing, mobile devices,
and social media, and using enterprise resource planning (ERP) and other tech-
nologies to standardize, automate, and streamline business processes.
5 The Compendium illustrates how entities can apply the Framework to design, imple-
ment, and conduct internal control over external financial reporting. It neither replaces
nor modifies the Framework; rather, it is a supplemental document that can be
used in concert with the Framework when considering internal control over external
financial reporting.
6 Finally, the COSO Board would like to thank PwC and the Advisory Council for their
contributions in developing the Compendium. Their full consideration of input provided
by many stakeholders and their attention to detail were instrumental in ensuring that the
Compendium will be helpful to a variety of organizations in applying the Framework to
internal control over external financial reporting.
1. Introduction
7 COSO’s Internal Control—Integrated Framework (Framework) sets forth three catego-
ries of objectives: operations, reporting, and compliance. The focus of this publication,
Internal Control over External Financial Reporting: A Compendium of Approaches and
Examples (Compendium) is the external financial reporting category of objectives, a
subset of the reporting category. External financial reporting objectives address the
preparation of financial reports for external parties, including:
•• Other external financial reporting derived from an entity’s financial and accounting
books and records.
•• Private Entities—Entities whose ownership may be closely held may prepare finan-
cial statements to provide to banks and other third parties in order to raise capital
or to meet contractual obligations. These can be in accordance with standards
and regulations, however often, there is no requirement for private entities to
prepare the financial statements in accordance with specific standards or regula-
tions; the form of the financial statements or other external financial reporting is
stipulated by contractual obligations or a third party.
9 In applying the Framework, users will find relevant approaches and examples in the
Compendium of how organizations apply various aspects of the principles in the design,
implementation and conduct of internal control over external financial reporting objec-
tives. These approaches and examples relate to each of the five components and sev-
enteen principles set forth in the Framework.
10 The Compendium includes an appendix that highlights those examples that relate to the
changes in business and operating environments that are noted in the Framework.
11 Note that this document is not designed to be read from beginning to end. Nor are the
approaches and examples linked across the principles; rather, they stand on their own
and relate to specific points of focus of the principles. Finally, even though the defini-
tions, components, principles, and points of focus are consistent with those found in the
Framework, readers should refer to the Framework for a comprehensive discussion of
how entities design, implement, and conduct internal control, and for the requirements
of an effective system of internal control.
15 Another form of financial statements prepared for external purposes may be financial
reports prepared in accordance with other comprehensive basis of accounting, such as
those by taxing authorities, regulatory agencies, or requirements established through
contracts and agreements. These financial reports are typically distributed to specified
external users (e.g., reporting to a bank on financial covenants established in a loan
agreement, to a taxing authority in connection with filing tax returns, reporting on finan-
cial information to an energy regulatory commission)).
Considers Materiality
21 Financial statement materiality sets the threshold for determining whether a financial
amount is relevant. Entities must consider suitable regulations and guidance promul-
gated by standard-setters and regulators.1
•• Rights and Obligations—Assets are the rights and liabilities are the obligations of
the entity at a given date.
1 For example, Topic 1M of the Staff Accounting Bulletins of the United States Securities and Exchange
Commission provides guidance on assessing materiality.
2 These financial statement assertions are substantially consistent with those established by the American
Institute of Certified Public Accountants and the International Auditing and Assurance Standards Board.
25 For example, management specifies sub-objectives for sales transactions that apply
applicable accounting standards based on the circumstances and that address relevant
financial statement assertions and qualitative characteristics, such as:
Overlapping Objectives
28 Many controls are interrelated and may support multiple objectives. An objective in one
category may overlap or support an objective in another. For example, “closing financial
reporting period within five workdays” may be a goal supporting primarily an operations
objective—to support management in reviewing business performance. But it also sup-
ports timely reporting and timely filings with regulatory agencies.
29 The category in which an objective falls can sometimes vary depending on the circum-
stances. For instance, controls to prevent theft of assets—such as maintaining a fence
around inventory, or having a gatekeeper to verify proper authorization of requests for
movement of goods—fall under the operations category. These controls may not be
relevant to reporting where inventory losses are detected following periodic physical
inspection and recording in the financial statements. However, if for reporting pur-
poses management relies solely on perpetual inventory records, as may be the case for
interim or internal financial reporting, the physical security controls would then also fall
within the reporting category. These physical security controls, along with controls over
the perpetual inventory records, are needed to achieve reporting objectives. A clear
understanding is needed of the entity’s processes and its policies, procedures, and the
Smaller Entities
33 The seventeen principles underlying the five components of internal control are appli-
cable for entities of all sizes. However, smaller entities may apply these principles using
different approaches. For example, all public companies have boards of directors or
other similar governing bodies with oversight responsibilities relating to the entity’s
external financial reporting. A smaller entity may have a less complex business model,
Documentation
35 Two levels of documentation requirements should be considered in relation to financial
statements for external purposes.
3 For the purposes of the Compendium, approaches and examples will reference the terms “material weak-
ness” and “significant deficiency” as defined by the Securities Exchange Commission in the United States.
“Material weakness” means a deficiency, or a combination of deficiencies, in internal control over financial
reporting (as defined in Rule 13a-15(f) or Rule 15d-15(f) of this chapter) such that there is a reasonable
possibility that a material misstatement of the registrant’s annual or interim financial statements will not be
prevented or detected on a timely basis. Rule 1–02 of Regulation S–X. “Significant deficiency” means a
deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe
than a material weakness, yet important enough to merit attention by those responsible for oversight of
the registrant’s financial reporting. Rule 1–02 of Regulation S–X.
control are in place and functioning. The nature and extent of the documentation
may be influenced by the entity’s regulatory requirements. This does not neces-
sarily mean that all documentation will or should be more formal, but that suffi-
cient evidence that the components of internal control are present and operating
together is available and suitable to satisfy the entity’s objectives.
37 For each principle, there is a listing of approaches that illustrate how organizations
apply the principles in designing, implementing or conducting certain aspects of internal
control over external financial reporting. The approaches apply to any size or type of
entity, and, for consistency and illustrative purposes, incorporate the points of focus
contained in the Framework. This structure is intended to assist users in understand-
ing the linkages of the points of focus to its associated principle. Various organizations
apply these approaches differently depending on the entity’s circumstances, and the
application by a particular entity is likely to evolve as circumstances change over time.
The approaches included are not intended to be a comprehensive listing. Users should
recognize that points of focus not listed in the Framework may also be suitable and
relevant in the user’s judgement depending upon the entity’s particular circumstances.
38 For each approach, one or more examples are provided to illustrate how an important
aspect of the approach has been put in place by entities that prepare financial state-
ments for external purposes. The examples are based on experiences of entities, and
some details may have been modified for the purposes of this publication (e.g., entity
and personal names are fictional and not attributable to any specific entity). The exam-
ples are not intended to be construed as “best practices” or suggested solutions for
users of the Framework. Further, the examples are not necessarily sufficient to demon-
strate that a particular principle is present and functioning as defined in the Framework.
39 These approaches and examples are likely to be relevant to many types of entities
(including public, private, not-for-profit, and governmental entities) that aim to prepare
financial statements for external purposes and other forms of external financial report-
ing. Where an example is not applicable to all types of entities, this is noted. Finally,
even though the approaches and examples primarily relate to the preparation of finan-
cial statements for external purposes, any entity seeking to design, implement and
conduct a system of internal control to achieve other external financial reporting objec-
tives may also benefit from them.
2. Control Environment
Chapter Summary
40 The control environment is the set of standards, processes, and struc-
tures that provide the basis for carrying out internal control across the
organization. The board of directors and senior management establish
the tone at the top regarding the importance of internal control includ-
ing expected standards of conduct. Management reinforces expecta-
tions at the various levels of the organization. The control environment
comprises the integrity and ethical values of the organization; the pa-
rameters enabling the board of directors to carry out its oversight re-
sponsibilities; the organizational structure and assignment of authority
Principles Approaches
Principles Approaches
Points of Focus
41 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
•• Sets the Tone at the Top—The board of directors and management at all levels of
the organization demonstrate through their directives, actions, and behaviors the
importance of integrity and ethical values to support the functioning of the system
of internal control.
4 The term “organization” is used to collectively capture the board of directors, management, and other
entity personnel as reflected in the definition of internal control
•• Setting the expectation that personnel raise issues or questions relating to the
application of the defined standards
•• Making explicit the consequences for deviations from standards of conduct at any
level in the organization
•• Ensuring that new and existing employees are trained on the entity’s standards
of conduct and continuing education, and providing appropriate briefings to third
parties engaging in business with the company
•• Providing staff ethics training opportunities to insure that all employees have the
knowledge to identify and deal with dilemmas
44 Furthermore, the company provides a supplier code of conduct to its vendors as part
of its service-level agreements, which provide a basis for evaluation alongside product/
service delivery evaluation.
•• Day-to-day actions and decision making at all levels of the organization that are
•• Interactions with suppliers, customers, and other external parties that reflect fair
and honest dealings
•• Timely inquiries and investigations into any alleged conduct that is inconsistent
with the entity’s standards of conduct
47 While this approach can be synonymous with that of establishing standards of conduct
when both operate effectively, history has shown instances where organizations define
and communicate honorable standards of conduct, yet senior management does not
internalize or exhibit these standards in its conduct, and therefore sets a different tone
than what is expected.
49 Examples of ethical dilemmas are provided, along with suggested resolutions. The
newsletter points out that reports of violations originate from a variety of sources,
50 Finally, the newsletter reminds all Space Inc. employees—from senior management
to all levels of employees—that as part of their annual performance review they must
certify that they have read the company’s mission statement and code of conduct and
that they comply with policies at all times.
•• Considering the results from ongoing and separate evaluations of internal control,
which include evaluations of internal control at outsourced service providers and
business partners who provide information necessary to produce external finan-
cial reporting
•• Analyzing issues and trends from hotlines and help lines made available within
the organization that could indicate potential fraud occurrences and other
ethical concerns
•• Requesting feedback from meetings held with outsourced service providers and
business partners when obtaining financial information or information that impacts
the entity’s internal control over external financial reporting
•• Identifying and communicating with anyone under investigation (or after thorough
investigation in instances of alleged fraud), and following up on any corrective
actions taken to remedy the matter in a consistent and timely basis and according
to prescribed company guidelines
•• Depending on the nature and pervasiveness of the deviation that has occurred,
establishing remediation activities as needed to make retrospective correc-
tions and forward-looking improvements (Remediation may address account-
ing corrections needed, process control enhancements, systems development
or enhancements, accountability reinforcement, training, and other actions.
The board reviews and approves the adequacy of remediation measures and
progress reports.)
57 Best Fit’s policy clearly states that if such an illegal act or impropriety is confirmed,
the company will terminate the employee, revoke all access privileges, and file formal
charges with appropriate authorities. The policy also requires the human resources
manager to document the situation and its resolution, analyze the root cause of the
breach, and implement any additional remedial steps to avoid similar occurrences in the
future. Progress reports are regularly provided to the audit committee.
58 During one instance, facilitation payments were made to obtain certain contracts, the
policy was immediately applied, an investigation was launched; the audit committee
was notified and regularly presented with progress updates and the proposed correc-
tive actions for approval.
Points of Focus
59 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning.
62 The responsibilities of the board and audit committee are to oversee management’s
performance of internal control. The board must therefore retain objectivity in relation
to management.
•• Understand the key risks facing the organization and the processes management
uses to identify, assess, and manage risks, considering internal audit findings,
litigation, compensation schemes, regulation, and compliance
•• Understand how management and the external auditor evaluate materiality for
financial reporting purposes
5 In practice, many of the activities of the board of directors included here would be carried out by one of its
committees, such as the audit committee.
•• Confirm or reject the basis for management estimates and proposed accounting
policy changes before approving
64 The results of the evaluation are used to determine whether the roles and responsibili-
ties of the committee have been met and could result in committee member changes or
impact remuneration. In addition to the annual review, every three years the company
conducts a benchmark review against leading practices and refines its charter,
as appropriate.
•• Criteria and procedures for calling special and/or urgent meetings as necessary
•• Allocation of time in board meetings for discussions with external advisors, inter-
nal and external auditors, and legal counsel without management being present
66 The policies and practices are updated as needed to reflect changes in internal and
external expectations, including rules and regulations.
which each responsibility set forth in the charter is discussed. This practice helps the
audit committee cover all relevant responsibilities, and helps management anticipate
and plan for the committee’s expectations. The meeting calendar, which is shown
below, is periodically reassessed to adjust for emerging regulatory and technical
matters that could affect the company or the industry.
Frequency Planned Meeting
Quarter
A E AN
1 2 3 4
Audit Committee Issues
Financial Management
69 Before each committee meeting, she circulates the draft agenda both to the commit-
tee members and the external auditors to solicit their input on any additional technical
accounting agenda items they would like to discuss. Ms. White is committed to keeping
open channels of communication with the external audit engagement partner and the
company’s chief audit executive to ensure she receives timely updates on any discus-
sions occurring with management as technical matters emerge. Internal audit, litigation,
and corporate social responsibility are a few of the areas that are regularly solicited for
input by the board or audit committee.
72 The board reviews the results of due diligence performed on potential board candi-
dates and confirms their competence and ability to remain unbiased. The procedures to
ensure that potential board members meet the defined criteria may include:
•• Evaluating the key risks facing the organization and accordingly defining board
member profile requirements
•• Considering skills and expertise, ranging from financial to regulatory and various
technical knowledge needed to understand the issues that could affect the com-
pany’s external financial reporting
6 Standard setters, regulators, or listing agencies may have specific requirements regarding director inde-
pendence, qualifications, and the makeup of the audit committee.
•• Reviewing information about financial and other relationships with the company,
its external auditors, or management
•• Evaluating periodically the due diligence procedures used for identifying potential
directors, including checking that an individual director’s certifications are com-
plete, up-to-date, and comply with the entity’s ethics guidelines and indepen-
dence rules
76 The same team conducts an annual review to ensure that board members continue
to have the requisite competence and independence given the entity’s stakeholder
needs. The senior management of Greene Inc. provides the results of the review in its
public filings.
•• Evaluating other risks facing the organization, with the potential impact on finan-
cial reporting
79 This practice is carried out for all assumptions related to key financial statement
accounts, disclosures, and relevant assertions. For example, for Future Fabrication’s
annual goodwill evaluation, management provides relevant information regarding any
specialists engaged to assist the company, key judgments and assumptions included
in the company’s discounted cash flow model, plausible sensitivity scenarios that were
considered, and confirmation of the appropriate technical accounting standard applied.
82 The audit committee also regularly meets with the Seaworthy’s chief audit executive
to ensure that the same oversight objectives of the internal audit function are attained.
The chief audit executive has a direct reporting line to the audit committee to enable an
objective mindset and facilitate the escalation of issues.
Points of Focus
85 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
87 Each unit or department within the entity that is relevant to external financial report-
ing aligns its roles and responsibilities to processes supporting the financial reporting
89 The clarity of roles helps to ensure responsibilities are carried out in support of the
organization’s objectives. They also provide the basis for risk assessment, control
activities, information and communication, and monitoring activities along different
dimensions simultaneously.
When applicable, the responsibilities of externally sourced support personnel are out-
lined through service-level agreements, specifically targeting timeliness and the quality
of financial reports generated.
96 SureSafe identified a small reputable company, J.K. Green and Associates, as one
that would meet their processing, reporting and internal control needs. The service-
level agreement signed by both parties specifies each party’s expectations and
responsibilities for the services provided and internal control over the outsourced
business processes.
Points of Focus
99 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
102 The finance department regularly reviews the entity’s accounting and reporting
policies and practices, and updates these as necessary to keep pace with inter-
nal expectations and external factors, including changes in technical standards and
regulatory requirements.
103 The human resources department also periodically updates materials outlining the
105 As part of annual goal-setting discussions, Ms. Sandhu and her department assess the
extent to which employees are aware of their job responsibilities and current policies
and practices. They use the results to track progress and enhance existing communica-
tions and training programs.
•• Conducting exit interviews to uncover any concerns related to the entity’s internal
control over external financial reporting
110 Credit Safe periodically evaluates every employee’s performance and tracks it against
established objectives. Management provides feedback and guidance to help employ-
ees achieve the objectives. At the end of each year, an employee’s performance is rated
as one of several categories: superior, exceeds expectations, meets expectations,
needs improvement, or unsatisfactory.
113 This intensive training has provided senior management of Orex with the confidence
that their CFO and controller now have sufficient knowledge to make informed decisions
on the proper application of the standard. Documentation of the training attended has
been tracked and included in Ms. Shreve’s and Mr. Tellemann’s employee files.
116 For successful selection and use of the vendor’s services, management was careful to
verify that the vendor met the suitability standards set forth in Compu Services’ poli-
cies. Being impacted directly by the quality of the control procedures carried out by the
vendor, the CFO spends time with the vendor to understand any assumptions used in
models or calculations, particularly as they may impact financial reporting. Indeed, while
Compu Services’ management chooses to outsource certain tax activities, it remains
responsible for the effectiveness of relevant controls regardless of where they are oper-
ated. The company therefore requests annual independent certifications of the vendor’s
internal control effectiveness.
•• Ensuring individual and team goals in support of the achievement of the enti-
ty’s objectives are defined, use observable metrics, and are communicated to
each employee
118 Using the same criteria, the board of directors evaluates the competencies of individu-
als serving in key financial reporting roles, such as the CEO and CFO.
125 Consequently, the CEO, CFO, and vice-president of human resources together annu-
ally review employee job descriptions and performance assessments. During a recent
review, they determined that the company’s controller, hired initially to perform basic
accounting and bookkeeping functions, no longer had the expertise needed for the
associated financial reporting responsibilities. The company has now assigned the con-
troller to a position better suited to his skills, and hired an individual with the requisite
competencies as controller.
128 North-to-South has assessed current personnel to determine potential candidates for
129 For outsourced service providers or business partners critical to the performance of
external financial reporting (such as information technology, payroll, accounts payable
processing), North-to-South has defined contingency plans to allow for alternative
arrangements in the event that such external parties become unavailable. The manage-
ment member responsible for the relationship is also responsible for maintaining and
executing the contingency plan, as necessary.
130 The talent management strategy has allowed North-to-South to confidently plan for
the future.
Enforces Accountability
Principle 5. The organization holds individuals
accountable for their internal control responsibilities in the
pursuit of objectives.
Points of Focus
131 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
136 More specifically, goals are defined, performance is evaluated, and employees are held
accountable within the local organizational structure. For instance, a sales manager in
South Africa is accountable to the company as a whole for its core values and defin-
ing brand, yet performance, mentoring, rewards, and sanctions are managed within the
business line at the local level where the employee is based.
138 Senior management subsequently reports to the board what factors were considered
in developing the performance measures, incentives, and rewards and how they are
expected to drive the desired behavior.
140 The credit does not preclude the internal audit department from reporting specific defi-
ciencies to management or the board when warranted, but it does positively affect the
grading system, which can affect departmental compensation and benefits. The result
is that Modern Financial Services is more likely to identify control deficiencies before
•• Monitoring the changing sources of threats that cause pressure to bypass estab-
lished controls or take shortcuts
•• Considering whether the selection of accounting policies has been unduly influ-
enced by the established performance measures
142 The board of director’s oversees the periodic assessment to ensure it has been com-
pleted, and may subsequently approve compensation plans. The board also provides
oversight to ensure that the performance measures and compensation plans estab-
lished for senior management are appropriately aligned with the entity’s strategic objec-
tives and balanced to promote the desired accountability without causing excessive
pressure that could lead to fraudulent financial reporting.
144 The compensation committee routinely reviews the performance goals and awards for
ongoing relevance and to determine whether they create unnecessary pressures or
unintended consequences. It continually focuses on identifying those short-term sales
objectives that may cause management to take undue risk, cut corners, or commit fraud
that could harm the company’s sustainable growth objectives.
145 Based on these reviews, goals and awards are modified as necessary, and changes are
approved by the board of directors annually. The performance goals and awards consist
of the following and are subject to audit:
•• Audit scores
•• Efficiency ratio
146 In addition, individual employee performance goals are determined annually in discus-
sion between the employee and the manager. They are then submitted to the human
resources department for review, and to the compensation committee for approval.
147 Any incentive compensation that is approved and ratified by the board is distributed to
individuals annually.
150 During the employee performance review and appraisal process, management provides
feedback about the extent to which each employee has performed in accordance with
the company’s core values of sound integrity and ethics.
3. Risk Assessment
Chapter Summary
152 Every entity faces a variety of risks from both external and internal sourc-
es. Risk is defined as the possibility that an event will occur and ad-
versely affect the achievement of objectives. Risk assessment involves a
dynamic and iterative process for identifying and assessing risks to the
achievement of objectives. Risks to the achievement of these objectives
from across the entity are considered relative to established risk toler-
ances. Thus, risk assessment forms the basis for determining how risks
will be managed. A precondition to risk assessment is the establishment
of objectives, linked at different levels of the entity. Management speci-
Principles Approaches
•• Assessing Materiality
Points of Focus
153 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
•• Existence
•• Completeness
•• Valuation or allocation
156 A-Middle’s management considers the level of materiality when reviewing the compa-
ny’s activities and interim reports and determining whether all significant risks and
accounts have
Top-Down Riskbeen captured. This information is used as a guideline in focusing on
Assessment
detailed risks within each financial statement line item and disclosure. This approach is
illustrated below.
10-K
Financial
Statements
Investor
Environment
Relations
159 Management subsequently specified the suitable financial reporting objectives and sub-
objectives for all significant accounts and activities of H2O To Go’s worldwide business,
including sales, purchasing, and treasury. These objectives and sub-objectives include
accounting policies, financial statement assertions, and qualitative characteristics relat-
ing to its accounts and activities. For instance, management has specified objectives
relating to:
•• Sales existence and completeness financial statement assertions for all sales
transactions recorded during the period7
•• Treasury valuation and allocation financial statement assertions for all investments
held and recorded as of period end.
160 Annually, finance management reviews these objectives and sub-objectives for ongoing
relevance and suitability with respect to the company’s accounts and activities. Where
changes are expected to occur—for instance, the adoption of a newly published
accounting standard or guidance or new commercial event or trend—appropriate man-
162 Within the sales process, management accepts from one frequent customer, Hall
Electronics, deposits relating to the purchase of several home theatre systems. Valley
Services sets aside the theatre systems in its inventory until Hall Electonics requests
delivery, usually within thirty days. Valley Service must either refund to Hall Electonics
the cash or provide a relacement home theatre system if a system is damaged or lost
prior to delivery.
163 Management had previously established a policy whereby revenue was recognized
upon payment for goods, regardless of whether the goods were delivered. In assessing
the suitabliy of the objectives specified for financial reporting, the controller, Alex Rob-
ertson, determined that this policy may not be in accordance with IFRS. Consequently,
he requested senior managment to review this policy in conjuntion with the objective-
setting process. In addtion, he also advised the internal audit group, which then moni-
tored the resolution of this matter.
7 For purposes of this example, not all relevant financial statement assertions have been included.
166 Looking at this new source of potential revenue relative to the income statement, Bot-
tomer Holdings considered the effect on its total revenues and net income and has now
concluded that the laundry revenue is expected to generate $150,000 to $200,000 of
revenue per year.
167 Management has considered the overall materiality of this account using the quantita-
tive measure of $500,000. Management also considered other qualtitative factors and
determined that this new source of income would:
•• Not change a loss into income—the company has been profitable over the past
five years.
•• Not impact compliance with loan covenants and other contractual agreements—
none of the mortgages on the buildings would require changes in loan repayment
rates based on higher income levels.
168 Based on the assessment, management has concluded that the new source of
income is not material to the overall financial statement presentation. Accordingly,
in specifying its external reporting objectives, management has incorporated this
new source of revenue into its overall revenue objectives as determined by Gener-
ally Accepted Accounting Principles but has not set out new, unique objectives for
laundry-related revenue.
•• Situations where multiple acceptable alternatives are available and the rationale
for selecting one policy over another
171 Management discusses significant accounting policies with the audit committee on an
annual basis.
•• Where differences are required, the various alternatives that are available and the
rationale for selecting one policy over another
•• Where differences are required, identifying the policies selected by other compa-
nies within an identified peer group
174 Once he has completed his review, Mr. DeQuincy communicates the differences and the
rationale for selection to the corporate controller.
•• To analyze its various business units for new and discontinued product develop-
ments and changes in the company’s markets, ensuring that they are conveyed
appropriately in the financial statements
177 In addition, the audit committee discusses with management how any significant activi-
ties that it is aware of will be included in the financial statements.
Points of Focus
178 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
181 For example, the risk of material misstatement related to the accuracy and valid-
ity of revenue recognition was rated as 5 (high). Factors contributing to the risk
rating included:
• Estimates Significance of Risks Identified •• Impact on Financial Statement Accounts—The potential impact on financial
Determines How to Respond to Risks reporting objectives is measured quantitatively. Each account is assessed in rela-
tion to its respective category, such as total assets or revenues. Management also
qualitatively assesses the potential for certain accounts to be understated. Based
on the quantitative and qualitative characteristics, accounts are categorized as
high, medium, and low, based on their impact on the financial statements. Where
risks vary by sub-account, management considers risk at that level.
8 As noted in Principle 8, identifying and analyzing fraud risks are integral parts of the risk
assessment process.
Financial Statement As % of Impact Account Business Fraud Entity- Overall Significant Assertions6
Account/ Disclosure Total on F/S Charac Process Risk wide Rating
teristics Charac Factors
E C V/A R&O P&D
teristics
BALANCE SHEET
Draftfor
forDiscussion
Discussion
Assets
Draft
Cash & Cash 6% M H M H M H P P P P
Equivalents
Prepaid Expenses 4% L M L L L L P
Inventory 35% H M M M L M P P P P P
9 Existence, Completeness, Valuation or Allocation, Rights and Obligations, and Presentation and Disclosure
Financial Statement As % of Impact Account Business Fraud Entity- Overall Significant Assertions6
Account/ Disclosure Total on F/S Charac Process Risk wide Rating
teristics Charac Factors
E C V/A R&O P&D
teristics
Liabilities
Warranty 15% H M M M L M P P P P P
Shareholders’
Equity
Common Stock 5% M M M L L L P P P P
Income Statement
Revenues
Operating
Expenses
G&A Expense 3% L M L L L L P P P
Depreciation & 2% L M M L L L P P P
Amortization
Financial Statement As % of Impact Account Business Fraud Entity- Overall Significant Assertions7
Account/ Disclosure Total on F/S Charac Process Risk wide Rating
teristics Charac Factors
E C V/A R&O P&D
teristics
Other Income/
Expense
Interest Income/ 5% L L M L L M P P P
(Expense)
186 The information technology managers of Sure Health Care meet with finance personnel
every month to discuss process, changes, and projects in each functional area relat-
ing to financial reporting. The meetings are used to update team members and discuss
issues or changes to the processes. Additionally, management meets with outside legal
counsel every quarter to discuss the effects of any external regulatory changes that may
impact financial reporting.
•• Relevant IT staff, along with business process owners, map the related applica-
tions to the operating systems, databases, and supporting IT processes, and
consider inherent risks and what improvements are needed.
financial reporting objectives. Based on the outcomes of the analysis, management Analyzes Internal and External Factors
determines how to manage the risks to a tolerable level. Involves Appropriate Levels of Management
• Estimates Significance of Risks Identified
Example: Identifying and Responding to Risk • Determines How to Respond to Risks
191 A social service organization with significant amounts of federal funding and operations
in several foreign countries prepares an annual risk assessment of its financial reporting
processes in each country. Risk factors considered include the following:
•• Nature of transactions
192 The risk assessment is prepared by the CFO, Gerald Timewell, and the COO, Inga
Karran, with input from many others within the organization. The resulting assessment,
for financial reporting purposes, considers the above risk factors in determining the sig-
nificance of risks of material misstatement related to the financial reporting assertions.
For instance, management increased the assessed risk relating to existence of federal
funding revenue from moderate to high after considering that there is:
193 Based on this risk assessment, Mr. Timewell and Ms. Karran develop preliminary
positions on the risk response. These determinations are key inputs into determining
required control activities.
195 The company is currently examining ways to enhance its risk response decisions to
reduce the significance of the risk by altering either likelihood or impact. Given the com-
pany’s current level of losses (1.6%), accepting the risk would not be acceptable, and
management elects to implement control activities that reduce the likelihood of losses
(operations objectives) and implements controls to detect losses sooner (to support its
financial reporting objectives).
196 Best Bits management also notes the level of losses other companies incur due to
shrinkage. The figure below shows the shrinkage for several other similar companies
within a benchmark group. Best Bits’ losses are noted underneath for comparison.
3.5
3.0
2.0
0.5
Best Bits Average Low Median High
0.0
Shrinkage 1.60% 0.33% 1.30% 3.50%
197 Using the data provided in this analysis, management believes that a loss rate target of
1.3% is suitable for the company (e.g., top of quartile 2) and additional control activities
are developed within the receiving and shipping process (as part of the Control Activi-
ties component). Further, management accelerated the frequency of physical inventory
counts to quarterly to improve the timeliness of financial reporting.
199 Management considers internal factors that may impact the entity’s ability to achieve its
financial reporting objectives, such as:
200 Where these factors are noted, management also considers—in conjunction with the
Information and Communication principles—whether some form of internal and/or exter-
nal communications are needed.
202 Based on the insights gathered from those discussions, Mr. Burtnyk provides feed-
back to the various department leaders of World Find. In turn, the department heads
use this information to identify additional information requirements and potential
technology changes.
203 In one instance, World Find determined that the accounting requirements for a new
value-added tax in one jurisdiction could impact operations in that jurisdiction as well
as two other jurisdictions that interact with it. Based on this assessment, manage-
ment commenced a project to further refine the assessment of the risks related to the
accounting of the new commodity tax, which then served as a basis for how to respond
to those specific risks.
207 Ms. Campbell has noted instances in the past year where shipping documentation was
not provided to the finance department in a timely manner, sometimes as late as two
weeks after the shipment was completed. These delays have result in an understate-
ment of revenue. Ms. Campbell has determined that the risk related to revenue com-
pleteness needs to be further reduced, and so she has decided to implement a bar-
code scanner shipping system to track and capture shipments and revenue.
Points of Focus
208 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
•• Fraud schemes and scenarios that are common to the industry sectors and
markets in which the entity operates
•• Nature of automation
•• Last-minute transactions
•• Historical fraud activities, including theft of inventory and the processes in place
to identify and record such theft
•• The methodology used for recording and calculating inventory and shrinkage
•• Whistle-blower reports
212 With this information, Mr. Kates forms a preliminary view of the potential fraud activities,
213 After completing his fraud risk assessment, Mr. Kates submits a report to the audit
committee for its consideration in management oversight.
216 In addition, the audit committee asks the chief audit executive about:
•• What fraud risks are being monitored by the internal audit team on a periodic or
regular basis
•• Whether anything has occurred that would lead internal audit to change its
assessment of the risk of management override of internal controls
217 With this information in hand, the audit committee discusses with the full board and
senior management any concerns that need added management focus.
220 The local internal audit representatives for Maxwell’s report any identified fraud risks
and internal audit’s planned approach to the chief audit executive, who reviews and
communicates such findings to the company’s audit committee.
223 Whenever a report is made, the external vendor that manages the hotline initiates an
investigation conducted by a three-person team, which includes Swift Co.’s chief audit
executive, Arthur Suzuki. Using a centralized case management system, Mr. Suzuki is
able to generate quarterly reports that he provides to senior management and the audit
committee. As part of its oversight role, the audit committee meets privately with the
chief audit executive and reviews the provided reports.
226 After these discussions for Schmidt Auto’s last fiscal year, the board determined that
the CFO’s incentive compensation, 80% of which was based on the current year’s net
revenue, was too high and focused too much on the short term. The compensation
committee subsequently reduced the incentive compensation, with 40% derived from
current year’s net revenue.
Points of Focus
227 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
may include reviewing the following: Assesses Changes to the Business Model
Assesses Changes in Leadership
•• Websites and social media
•• Search engines
•• Conferences
•• Professional organizations
230 During this process, the accounting and finance departments of Clear Blue Auto
determined how plant shutdowns would affect the financial statements. This included
potential penalties contained within various sales contracts, possible obsolescence of
parts required for a particular model year being phased out and greater impacts from
extended delays in supply of parts. They also evaluated what insurance coverage was
231 The potential impact of this hurricane was updated and communicated to the compa-
ny’s board of directors later that day.
234 Over the next 100 days, Mr. McPherson will be holding individual meetings with each
functional team to discuss their current objectives, how those objectives might be
changed, and how those changes would impact the assessment of risks to reliable
financial reporting. He expects that some at Garner’s Heating will be surprised with his
proposed changes to policies, which have been largely unchanged for several years.
This includes the company’s CFO, Ruth Koziak, who is responsible for analyzing the
change in strategy and the implications to financial reporting.
235 At the end of the 100 days, Mr. McPherson intends to reconvene the larger group to
discuss how the company should change, and the incremental risks (including financial
reporting) that may come with the change. It will then be up to Ms. Koziak and the chief
audit executive to consider the implications of the company’s new vision and the effects
it will have on the external financial reporting objectives.
•• Different laws and regulations, including those that would affect the company’s
237 Each of these factors presents incremental risks to financial reporting and processes
that need to be managed. Therefore, Consecutive’s corporate controller is performing
a risk assessment with the finance teams in the international locations to ensure these
new risks are identified and to help management determine how best to respond.
•• New markets that will be encountered by the combined company (including differ-
ing financial reporting standards)
•• The ability to achieve the anticipated synergies from the acquisition and whether
these synergies will create incremental risks to financial reporting
239 A project team has been formed for the transition to ensure that all risks are appropri-
ately identified across all business units and functional areas. Any identified risks are
passed on for assessment to senior management, including the company’s chief oper-
ating officer and chief financial officer.
242 If the transition for a particular position is expected to occur within the next two years,
representatives of the audit committee interview the candidates to ensure that their
views on internal control are consistent with those expected by the audit committee.
243 The board considers that feedback attained when making any decisions within the
246 The successful candidate, Jenny Acosta, has a strong background and focus on cost
management and streamlining operations. However she agrees with the audit commit-
tee that this streamlining could result in fewer processes and controls, especially those
viewed to be labor intensive, and that such changes could erode the quality of reporting
and increase certain financial reporting risks.
247 With this in mind, the audit committee has begun to request quarterly updates of
controls that have been removed by management and the potential impact on financial
reporting. In addition, this information is incorporated by the internal audit group into its
internal audit planning process.
4. Control Activities
Chapter Summary
248 Control activities are the actions established through policies and pro-
cedures that help ensure that management’s directives to mitigate risks
to the achievement of objectives are carried out. Control activities are
performed at all levels of the entity, at various stages within business
processes, and over the technology environment. They may be preven-
tive or detective in nature and may encompass a range of manual and
automated activities such as authorizations and approvals, verifications,
reconciliations, and business performance reviews. Segregation of du-
ties is typically built into the selection and development of control activi-
11. The organization selects and develops general control activities over
technology to support the achievement of objectives.
Principles Approaches
11. The organization selects and devel- •• Using Risk and Control Matrices to
ops general control activities over Document Technology Dependencies
Points of Focus
249 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning.
251 The selection and development of control activities is achieved through various
methods, and may include the following:
252 Management considers the segregation of duties and a mix of transaction control activi-
ties and business process reviews. Management considers using automated controls
whenever the systems in place make it possible. These are supplemented by manual
control activities where automated controls are not available.
254 After these workshops, Prescott International is able to select and develop poli-
cies and procedures appropriate to its business. The controller reviews the matrix
of control activities and risks in order to identify any potential risks not previously
noted, recommend additional control activities if necessary, and remove unnecessary
control activities.
•• Identified risks
•• Risk responses
•• Control activities
256 Matters such as general ledger maintenance, accruals, management estimates and
reserves, period-end close and consolidation procedures, financial statement prepara-
tion, and regulatory filings and disclosures are all considered when building the matrix.
The risks, risk responses, and controls are described in sufficient detail in the matrix to
allow Go Rite’s management and others to evaluate whether, if implemented and
operating as intended, these actions can sufficiently mitigate the financial reporting
risks. As part of this evaluation, management reviews the type of control activity (e.g.,
Top-Down Risk Assessment
preventive versus detective, manual versus automated) to determine if the mix is
appropriate. The following illustration is an excerpt of one of Go Rite’s risk and control
Ordering Invoicing
Accounting Dept.
Purchase Order Approved Goods Receipt
Vendor Price Vendor Price 3-Way Match
Purchase Order Notice (GRN)
Master Master Master Master 1.2.2
Accounting Dept.
General
Record Invoice Ledger
1.2.3
Control Financial F/S Control Frequency Control Description Manual/ Preventive/ Infor-
Risk(s) Asser- Level of Control Automated/ Detective mation
tions IT Depen- Processing
(note 1) dent Manual Objective
(note 2)
A Orders V Transaction Multiple During the PO creation the system Automated Preventive A, V
are not Level times per performs edit checks (autopopulated
accurate day fields, format checks and use of drop
down lists) of the relevant data fields
and auto-populates vendor and item
details using the vendor and item
master file respectively. The system
populates price in the purchase order
from the approved master file based on
the product entered.
B Orders E/O Transaction Multiple The system blocks purchase orders not Automated Preventive A,V
are not Level times per using an approved vendor and items
valid day from the related master file.
C Order V Transaction Multiple Purchase order price outside those Manual Preventive A,V
Note 1: E/O = Existence / Occurance; C = Completeness; V = Valuation / Allocation; R&O = Rights and Obligations
Note 2: C = Completeness; A = Accuracy; V = Validity
258 Following Indigo’s recent acquisition of a foreign entity in China, another brewery, the
management used the standard risk and control inventory to develop and select the
necessary control activities. It customized this list to suit the newly merged company,
giving the functional leaders responsibility for risks and control activities in their
specific areas.
•• The risk of material misstatement associated with the assertions affected by the
processes of the service organization, including whether the activities involve
assets that are susceptible to loss or misappropriation
•• The nature and complexity of the services provided by the service organization
and whether they are highly standardized and used extensively by many organiza-
tions or unique and used only by a few
•• The extent to which the entity’s processes and control activities interact with
those of the service organization
•• The entity’s control activities that are applied to the transactions affected by the
service organization’s activities
•• The terms of the contract between the entity and the service organization, and the
degree to which authority is delegated to the service organization
260 If management determines that the service organization’s processes are significant to
internal control over external financial reporting, then it:
•• Identifies the specific control activities performed by the service organization that
are relevant to financial statement assertions, and/or
•• Selects and develops control activities internally over the activities performed by
the service organization.
262 If an appropriate report does not exist, management can use the entity’s own resources,
such as internal audit, to review the control activities and ensure that any external finan-
cial reporting risks are mitigated by the combination of its own control activities and
those of the service organization.
264 Jennssen Inc. engages a service auditor to audit its control activities over transac-
tion initiation, processing, and recording, and to issue an SSAE 16 (SOC1)10 report on
controls. When Green Grow Now obtains the report, it assesses whether the described
control objectives and control activities performed by Jennssen impact internal control
over external financial reporting related to the existence, completeness, and valuation of
payroll expense.
265 Green Grow Now considers the test results in the report and whether any exceptions
have been identified. It also considers the period covered by the report and concludes
that it needs additional evidence of the operation of control activities for the period
not covered. The management communicates directly with Jennssen to inquire about
any changes to its processes; Jennssen confirms in writing that no changes have
been made.
266 Based on this information, Green Grown Now concludes that no further action is
needed. It also reviews the control activities that it is expected to have in place in its
own organization (as specified by the user control activities in the SSAE 16 report) to
verify they are implemented and operating as intended.
10 An independent auditor’s report on the design and operating effectiveness of controls at a service
organization
268 The management of Funnell Medi-Quip evaluates the nature of the control activities
of Oxford Financial Experts and its own control activities over Oxford. The manage-
ment team determines that the risk of material misstatement associated with the
financial statement assertions affected by the processes of the Oxford is quite high.
Funnell Medi-Quip concludes that additional information is needed to evaluate the
design and operating effectiveness of Oxford’s control activities. The management
team performs tests at Oxford, using the internal audit group to verify that the control
activities are implemented and operating as intended. Funnell also tests its own user
control activities.
•• The type of control (i.e., manual or automated) and the frequency with which
it operates
•• The nature and materiality of misstatements that the control is intended to prevent
or detect
•• The degree to which the control relies on the effectiveness of other controls (e.g.,
general technology controls)
270 Certain financial reporting elements, such as those involving significant account-
ing estimates, related party transactions, or critical accounting policies, will generally
have higher risk for both material misstatement to the financial reporting element
and control failure. In these situations a combination of control activities is usually
selected and developed by management to adequately address the risks of a financial
reporting element.
272 In balancing its control activities within the cash disbursements cycle, EJ’s Corporation
273 These control activities are complemented with the following detective control activities:
276 To begin the analysis, the CFO of each of the company’s five business units reviews
the balance sheet and income statement in detail to identify and explain any variances
from budget and prior year actual results over a predetermined threshold (which varies
by business unit). The threshold, which ranges from 5% to 10% of pre-tax income, has
been developed by senior management to help detect potentially material differences
considering the following factors:
•• The nature of assets and liabilities and transactions executed at the business
277 The analysis is then submitted to Zephyr’s corporate center for review. Senior manage-
ment hold monthly meetings with the representatives from each business unit (usually a
business unit CFO) to understand why there are significant differences that are exceed-
ing predefined thresholds and to determine whether corrective action is necessary.
279 Management’s assessment of customers’ ability and intent to pay outstanding receiv-
ables is subjective and susceptible to error. Accordingly, management selected, imple-
mented, and deployed a mix of control activities to help mitigate this valuation risk,
including the following:
•• The treasurer periodically reviews existing customer’ historical financial and credit
information as provided by Dun & Bradstreet to identify any changes in the cus-
tomers’ ability to pay.
•• Automated preventive controls are embedded within JMC’s ERP system support
generation of sub-ledger reporting, including historical aging, collection, and
write-off of receivables by customer, which provides a level of consistency for the
completeness and accuracy of reporting used in making estimates.
281 Gentry Co. is considering implementing account reconciliation software, which would
help automate the process and allow Jeremy Brewster, who is responsible for the
process, to spend more time on the more subjective and complex areas of account
reconciliation.
282 Gentry has identified the following benefits that would arise out of using an automated
account reconciliation tool:
283 Gentry Co. decides to implement a partial automated process. It uses both qualitative
and quantitative factors to determine which reconciliations will be automated and which
will continue to be manual. The factors considered favorable to automation include
low complexity of transactions, absence of significant judgments and estimates, low
number of manual journal entries and adjustments, low susceptibility of transactions to
fraud, and high-volume, low-dollar value of transactions, combined with low degree of
variation against the expected account balance.
•• An inventory clerk documents and tracks all inventory levels, reducing the risk
of obsolescence.
•• A controller reviews exception reports of all inventory purchases with a price more
than 10% above current average costing.
11 This example is likely to be most relevant for smaller entities or the smaller sub-units of larger entities.
Points of Focus
289 The following points of focus may assist management in determining whether the prin-
ciple is present and functioning.
292 The walkthrough covered each major class of transactions. The internal audit team
asked the relevant personnel of the newspaper chain about all significant aspects of
the process.
296 Smythe & Smythe also classified the spreadsheets as high in complexity because they
included the use of macros and multiple supporting spreadsheets to which cells and
values were interlinked. The spreadsheets were used either as the basis for journal
entries into the general ledger (LIFO reserve) or as financial statement disclosures (fair
value of goodwill, intangible assets, and debt).
297 The company considered the security, maintenance, and update risks of the spread-
sheets and then selected and developed the following control activities:12
•• Calculation Testing—When changes to formulas are made they are tested against
a manual calculation for accuracy. All spreadsheet formulas are checked for accu-
racy at least once a year.
12 Note that not all of these controls activities are technology general controls only. The first and last bullets
could be considered business process level controls; however the entire list is included to illustrate a more
complete consideration of spreadsheets.
299 If an appropriate report does not exist, management uses internal resources (e.g.,
internal audit) to review the controls at the third party, verifying that the combination of
the company’s controls and those at the service organization mitigate risks to external
financial reporting to an acceptable level.
301 To that end, the management of E-Book Frontier assessed the risks associated with the
business processes outsourced to the ERP cloud service provider and determined a
number of control activities and information requirements that needed to be addressed.
•• The scope of the report included certain application controls and technology
general controls that were evaluated for both design and operating effectiveness.
The controls relating to the customized configuration for the organization were not
addressed in the service auditor’s report. Management evaluated the impacted
business process and related financial reporting risks and selected and devel-
oped additional actions and control activities to address these risks.
•• The tests of controls covered a time period that correlated with ten months of
the company’s fiscal year, resulting in a gap of the last two months. Based on
management’s analysis on the relevance and risk of the related controls, E-Book
Frontier determined that corroborative inquiry with the CSP would be adequate for
the gap period. To evaluate the continued operation of the CSP controls, man-
agement interviewed key CSP personnel to assess whether any changes in the
controls or known failures had occurred since the date of the report.
302 Management reviewed the results of the tests of controls and the service auditor’s
opinion on the operating effectiveness of the controls to determine whether each control
objective was achieved. Two exceptions were noted in the report, and management
reviewed the additional information related to these that was provided by the CSP in the
unaudited portion of the report. They concluded that one exception was not relevant to
their organization. For the second exception, additional procedures were needed.
303 The second exception related to evidence of customer approval of program changes;
management evaluated the sufficiency of E-Book Frontier’s controls over approval of
changes requested to be performed by the CSP. In addition, it requested a report of all
changes for the past six months from the CSP and verified that the report of all changes
is complete and accurate. It then compared the list of changes and noted no variances
from its internal records.
304 Based on these additional procedures, management concluded that the exceptions did
not result in a deficiency of their system of internal control.
•• Create a three-tier risk rating of the importance of an application and its data to
the reliability of the financial-reporting process.
•• Develop policies for the settings of key security parameters for every technology
in use at the company for each risk rating level.
•• Assess the importance of each application and its associated infrastructure to the
reliability of financial reporting and assign it a risk rating.
•• Implement procedures to put in place and monitor compliance with the policies
for each application consistent with its associated rating.
309 For applications that process in real time, software is also used to automatically monitor
for errors, such as incomplete or inaccurate record transfers between systems. When
a possible error is detected, the software attempts to resend the record without error.
If the error persists, an email alert is sent to an operator who corrects the error follow-
ing standard documented procedures. Financial management is notified of any errors
in a weekly report. The weekly report is reviewed to determine if any accounting record
adjustments are required due to the system problems. The controller reviews and
approves any changes. (Note this could be considered a process-level control.)
•• Obtain a description of the change, the rationale for it, the impact on the com-
pany’s security environment, and implications for user interfaces.
•• Outline steps for a back-out plan should the upgrade not perform as expected.
•• Develop a plan to test that the edit and validation rules work properly, desired
system functions operate as expected and produce the desired results, undesired
processing results are prevented, and existing technical capabilities, including
control activities critical to external financial reporting, continue to work properly.
•• Obtain approval from financial and operational management and end users of the
test results prior to releasing the upgrade into production.
317 Because Summer Run does not have an automated code promotion utility to control
versions and migrations to the production environment, the IT manager, James Robb,
takes the following steps:
•• Assigns to the developer not working on a particular change the responsibility for
testing the change and migration to production
•• Locks versions following user acceptance testing to prohibit further change prior
to release
318 Mr. Robb also relies on these manual controls to manage the code version
and migration:
•• He creates a manual log listing the version of the code copied to the development
environment, along with date and time, and manually tracks the migration to test
and then to production.
•• He separates the review of all version control procedures prior to moving the
code to production from those performed by the individual responsible for the
IT functions.
320 The organization assigns the level of risk to one of four categories based on several
factors, including the length, level of effort, possible risks to financial processing and
control activities, and complexity of the change. Level 1 changes (the most risky) are
required to go through twenty quality gates, or control points, before implementation,
while Level 4 changes (the least risky) are required to go through only ten gates. All
changes that may affect financial processing and control activities are required to be
reviewed by someone in the finance department before being implemented.
Points of Focus
321 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning.
•• Locations, units, and processes to which the policy and procedure applies • Takes Corrective Action
• Performs Using Competent Personnel
•• Roles and responsibilities for owning, creating, implementing, executing, and
maintaining the policy and procedure • Reassesses Policies and Procedures
•• Review date
revised estimates for each loss contingency, is reported to the corporate control-
ler. Information required for the disclosure of loss contingencies is provided to the
corporate office by location in quarterly financial/legal reporting in a prescribed
template. The template is updated, as necessary, through and including the date
of the related public filing.
324 A record of all accounting policy changes, additions, and retirements is maintained,
which includes revision number and date, effective date, a brief description of the
changes made, and the person who approved the change.
326 The board of directors reviews and approves the annual budget, over and above the
required approval provided by the CEO. Authorization to incur liabilities on behalf of the
trade association is limited if they fall outside of the amounts approved in the budgeting
process for normal operations. The limits are:
•• CEO: Up to $50,000
•• Vice-presidents: Up to $10,000
•• Supervisors: Up to $500
327 Siobhan O’Reily, the association CEO, must review and approve in writing any capital-
ized purchases above $10,000. A purchase order must be prepared for all purchases,
and every disbursement of funds requires the receipt of an invoice.This policy does not
apply to the purchase of association investments, which are authorized by the board of
directors through its corporate investment policy.
328 Ms. O’Reily reviews all purchase orders for more than $10,000 for appropriateness. She
compares the amounts to budget, and if she uncovers a discrepancy, she sends the
purchase order back for investigation and follow-up.
330 The CEO and CFO approved modifications to the company’s revenue recognition
policy and related approval matrix that requires all significant software contracts be
reviewed by the CFO and other finance personnel before software revenue and sales
commissions are recognized. In addition, finance, legal, and sales personnel collabo-
rated in establishing standard contractual terms and conditions that would result in
proper recognition of revenue and commissions, and identifying variances from such
standards that would require review and approval by the CFO and/or other finance
331 In addition, the CFO, sales executives, and legal staff meet annually with sales person-
nel to review the company’s policies, its standard and non-standard contractual terms
and conditions, its historical revenue recognition issues, and any specific commercial
arrangements to avoid. All subsidiary sales and finance personnel attend annual training
that focuses on how to comply with local laws and regulations and with the company’s
revenue recognition policies and procedures.
333 Mr. Whitfield periodically reviews actual costs incurred for a long-term project, ensur-
ing they are accurate, that indirect costs are appropriately allocated, and that change
orders and potential cost overruns do not exceed the authorized funding. If any vari-
ances from the cost baseline appear, he promptly investigates them and excludes incor-
rect or inappropriate changes from the reported cost or resource usage, which is used
as the basis for revenue recognition for the period. He also reviews the estimated costs
for reasonableness, taking into account the actual stage of construction at the end of
the reporting period.
334 At the end of each period, Ms. Navrat reviews the reasonableness of key assumptions
used in Mr. Whitfield’s analysis. As part of her review, Ms. Navrat compares the sum
of actual costs plus those still to be incurred against authorized funding to determine
whether the revenue recognized to date based on the costs incurred and estimated
costs to complete are appropriate, including whether the project will result in a loss at
completion. If so, the loss is recognized immediately.
•• The human resources department maintains a list of open change orders that is
reviewed daily for receipt of the confirmation from the IT department. If a receipt is
not received within twenty-four hours, a human resources representative follows
up with the IT group until the request is processed.
13 Investigation of the root cause of why the overstatement occurred is discussed in Chapter 5,
Monitoring Activities.
339 Budget formulation and execution processes and structures have been redesigned
centrally to identify and distinctly categorize funds for capital projects. These have been
distributed to individual departments by the financial planning and budgeting group.
The standard contract has also been modified to require purchased capital items to be
separately identified for each project (by budgetary funding code) and to not include
items for any other projects.
340 The agency has instituted new policies, mandatory annual training, weekly reviews of
pending contract actions, and monthly reviews of expenditures to ensure program com-
pliance. The efforts have dramatically reduced misclassifications and overcome audit
qualifications for plant, property, and equipment reporting.
14 This approach applies to changes that are not significant enough to go back through the risk
assessment process.
Chapter Summary
344 Information is necessary for the entity to carry out internal control re-
sponsibilities to support the achievement of its objectives. Management
obtains or generates and uses relevant and quality information from both
internal and external sources to support the functioning of other compo-
nents of internal control. Communication is the continual, iterative pro-
cess of providing, sharing, and obtaining necessary information. Inter-
nal communication is the means by which information is disseminated
throughout the organization, flowing up, down, and across the entity. It
enables personnel to receive a clear message from senior management
Principles Approaches
Points of Focus
345 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
each item to one or more members of management that have a role in external financial
reporting. This inventory is then used to assign responsibility to personnel for gathering
the required information.
348 The following diagram illustrates key categories and types of information senior man-
agement may require in support of external financial reporting objectives:
Internal audit
Stock price, Raw reports, Updates
material pricing, on accounting
350 The management organization overseeing NetHealth recognizes that timely, relevant
information is needed to support control activities and keep each physician office in
the network up-to-date on patient activities, insurance arrangements, and billing and
collection activities. Consequently, the COO has hired an advisor to interview members
of the central processing group, receptionists, nurses, doctors, and others who work
in physicians’ offices across the network. From these interviews, the advisor provided
the following:
•• Definition of roles and responsibilities for information gathering to allow the central
processing group to update patient records and process bills accurately and in a
more timely fashion
351 Management is now developing guidelines for gathering information during patient
visits. To reduce the costs of distributing the guidelines to each office in the network,
the IT manager is building a section on the network’s website where the guidelines will
be available and where updates and comments can be posted.
353 The data flow diagram below illustrates part of the company’s purchasing cycle.*
*Author’s Note: The following data flow diagram does not depict a complete account of all the information
needs for the example. It does depict the flow of information at a high level, but keep in mind that additional
detailed specifics would be included in corresponding narratives, or additional flow diagrams or flowcharts
would show a level deeper.
Company
Personnel Vendor
Updates Purchasing
& Accounting
Dept.
1.0 Process 3.0 Update Vendor
Purchase Requisition Master File
Purchase
Requisition
Purchase System
Vendor Management
Maintains Quality Throughout Processing •• Subscriptions to industry publications and regulatory updates
Considers Costs and Benefits •• Participation in industry conferences, trade shows, and other events
•• Subscription to third-party mailing lists and blogs that pertain to the industry
and company
357 Accounting and finance personnel meet regularly with the internal audit department to
review and update internal accounting and control policies and procedures based on
the information gathered. In addition, they meet with the CFO to pass on any new infor-
mation and to discuss the impact on financial reporting and policies and procedures.
Accounting and finance managers update policies and procedures to reflect the impact
of the new information.
359 To reduce time, costs, and errors caused by human intervention, management has
implemented electronic data interchange (EDI) to replace the original process. Relevant
information about key business transactions is now automatically populated into the
company’s ERP system, and automated validation checks are in place to confirm that
information is transmitted completely and accurately. As well, the information gener-
ated through the EDI process is also available to production managers, order manage-
ment, and billing personnel, which allows them to perform control activities to support
proper end-to-end transaction processing, including creating the corresponding
accounting entries.
361 Accounting and finance personnel summarize the information gathered and meet
with the appropriate member of senior management to evaluate the impact on the
financial statements, internal control effectiveness, or changes needed to policies
and procedures.
363 Significant changes in purchase commitments, inventory usage trends, product con-
figuration preferences, and cycle count results have impacted the judgments and esti-
mates made in applying the inventory reserves policies. Consequently, Mr. Fernandez
now obtains and reviews reports from the company’s ERP system to identify unusual or
unexpected trends, changes in balances or volumes of transactions, and other relevant
details. He then meets monthly with department heads of customer service, procure-
ment, inventory management, and logistics (who oversee third-party warehouses) to
collect additional information about customers, products, inventory, and balances.
364 Based on these meetings, Mr. Fernandez reviews inventory reserve policies, documents
key data points that impact prior estimates, and prepares an updated analysis support-
ing inventory reserve requirements. The CFO of Friesens then reviews and approves
the analysis as part of her review of the related journal entries during the month-end
366 Arlene Gomez, the company controller, obtains monthly reports on operational and
compliance metrics from the chief operating officer. In addition, she reviews periodic
internal audit reports on the company’s adherence to policies and procedures related to
environmental compliance. She uses this information to assess reserve requirements or
disclosures associated with damages provisions. Finally, she summarizes relevant infor-
mation and meets with the CFO quarterly to determine whether changes in accounting
estimates and financial statement disclosures are needed.
Management and employees in external financial reporting roles follow procedures • Maintains Quality Throughout Processing
368
for identifying and categorizing information. These procedures require that attributes Considers Costs and Benefits
about each piece of information be recorded before the information is accepted into the
repository. The attributes may include:
•• Information owner
•• Expected users
•• Criticality
•• Frequency
•• Process supported
•• The first phase of the project involved creating an inventory of the existing reports
identifying relevant sources and eliminating non-critical and redundant reports.
•• The second phase involved designing and implementing the functional and
technical capabilities needed to capture and store data used to generate relevant
information
•• The third phase involved training end users on techniques for effective input
and extraction of information and reports from the data warehouse using
reporting tools.
•• The final phase involved designing and implementing operating procedures and
control activities over the data warehouse and reporting tools to ensure the com-
pleteness, accuracy, security, and validity of the data and information input and
reports generated.
371 As a result of the project, International Food Distributors has a well-defined inventory of
reports, improved data, and a more efficient process for capturing and using informa-
tion for external financial reporting.
374 The implementation project team was led by the controller, who was supported by
•• Checking that data input was valid, complete, and accurate to electronic sources
•• Passing data between the related transactions to minimize data entry and improve
data consistency
375 As a result of the implementation, management of Insight Media gained access to more
accurate, complete, and timely information to perform internal controls over the evalu-
ation of accounting entries and disclosures for accounts payable and accrued expense
balances, purchasing commitments, and expected cash balances.
376 The following diagram was created as a result of the above procedures and assisted
management in identifying the relevant information.
Comparison of items
on a list of period-end
recurring entries to
entries recorded
Automated
Matching Automated two
Electronic
Payment
Key Areas Legend:
A Passing data between the related transactions to minimize data entry and
improve consistency.
B Checking that data input was valid, complete, and accurate to electronic
sources.
Identifies Information Requirements 377 Senior management establishes a data governance program to support the company’s
C
aptures Internal and External Sources objectives of ensuring reliability of information used in support of internal controls and
of Data external financial reporting. Senior management formalizes policies, procedures, and
• Processes Relevant Data into Information
responsibilities for data and information management considering the volume, complex-
ity, and demand for rapid capture and dissemination from multiple sources. The data
• Maintains Quality Throughout Processing
governance program includes policies and procedures for:
Considers Costs and Benefits
•• Assigning roles and responsibilities between a central data management group,
business functions, and IT
379 The chief information officer and the credit and collections manager have designed
and implemented continuous transaction monitoring software to support their data and
information quality efforts. This software helps management to verify accounts receiv-
able balances each day and to avoid time-consuming month-end reconciliations by
quickly identifying data anomalies. Targeted data queries allow the software to identify
duplicate entries, unusual transactions, missing data, and incomplete data transfers.
Additionally, continuous monitoring software enables data analysis used to support
control activities to detect potential indicators of fraud.
•• The information system automatically assigning the security, privacy, and storage
and retention requirements based on the data category input
•• Periodic reviews being performed to ensure that data has been properly classified
to improve security and reduce storage costs
383 This process reduces time required to format, organize, and report data. It also enables
the company to tag data through eXtensible Business Reporting Language (XBRL).
XBRL enables Freedom Financial to meet certain external financial reporting require-
ments and to perform comparative analyses to historical, competitor, and projected
financial data.
Communicates Internally
Principle 14. The organization internally communicates
information, including objectives and responsibilities for
internal control, necessary to support the functioning of
other components of internal control.
Points of Focus
384 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
•• Senior finance and executive management visits to plants, sales offices, major
customers, and other locations
387 Mr. Tomlinson uses these mechanisms to reinforce company expectations for adher-
ence to internal control over external financial reporting, laws, and regulations; the
importance of the company’s internal audit function; and actions taken in response to
388 In turn, Ms. Wilcox finds the broadcast emails an effective means of sharing informa-
tion about the company’s business objectives and goals, including a periodic update
on progress toward those goals. She also visits the various corporate sites and meets
with employees and managers to ascertain how well they understand key business and
financial objectives relevant to their sites and to reinforce the messages about inter-
nal control from Mr. Tomlinson. Presentation material and supporting information and
intranet links are provided to the participants to support these communications.
•• Changes to accounting policy and regulatory rules that would impact how
the company processes their financial transactions and produces their
financial reports
391 The internal audit department reviews the information in the repository as part of its
ongoing and separate evaluations. Updates to specific internal controls are commu-
nicated to both the control performer and reviewer through email alerts with links to
the repository.
•• Internal controls
393 The reporting tool also provides a personalized dashboard; workflow process (for
performance or review, as appropriate); reporting capabilities for more detailed status,
issues, and trends; and other information to understand and manage the individual’s
internal control responsibilities.
the method of communication. The charter specifies key guidelines, which may include: • C
ommunicates with The Board
of Directors
•• Frequency and number of board meetings, including committees of the board
Provides Separate Communication Lines
•• Objectives of each board or committee meeting (e.g., strategy reviews, annual • S elects Relevant Method of
budgets, and plan reviews) Communication
396 Fred reviews the annual calendar of audit committee meetings and the general agenda
for each meeting. He develops specific topics for discussion for each meeting relevant
to the company’s external financial reporting requirements and confirms the agenda
details with the CFO and audit committee chair. Based on the detailed agenda, Fred
gathers relevant information to be included in the audit committee meeting materi-
als that are sent to members one week prior to the meeting. From time to time, Fred
requests that members of management attend meetings to present information in
person and allow for active communication. For example, the CIO presents on the com-
pany’s security and privacy programs and new events that may impact risks.
397 Mr. Cummins also meets with the chair of the audit committee on an ad hoc basis to
review the results of recent audits, discuss changes to the internal audit plan, commu-
nicate issues or risks related to significant, time-sensitive transactions, or to update the
audit committee chair on significant issues, such as investigations of potential fraud.
400 At each quarterly meeting, the CFO, CAE, and the external auditor present a summary
of key changes in internal control, results of evaluations, and actions in response to any
deviations identified. Matters of significance are reported in writing. The audit com-
mittee holds separate private sessions with management and the external auditors.
These sessions provide the audit committee and either management or the auditors an
opportunity to share sensitive information and ask probing questions that facilitate each
party’s responsibilities related to internal control.
402 The management team sends the package to the board in advance of the meeting to
allow board members to review and follow up with management in preparation of the
meeting, if necessary.
406 The hotline is administered by a third party. All matters received on the line are catego-
rized, summarized, and reported to a separate compliance department that reports to
internal audit. The director of compliance then reviews and prioritizes all reports.
407 Those matters of significance or heightened sensitivity are reported immediately to the
CFO and the chair of the audit committee. Others are investigated based on their prior-
ity. The CFO and members of the executive management team review the results of all
investigations and recommend what actions should be taken.
408 Information about each reported matter, including evidence gathered, actions taken,
and conclusions reached, is documented in a separate, confidential section of the
hotline system.
411 As an added measure, all staff involved in the financial reporting process is assigned a
mentor with financial reporting and internal control experience. This provides an alterna-
tive to the employee’s line supervisor for discussing and reporting concerns on matters
such as compensation, operations, or internal controls.
414 The representatives on the council review all matters raised to consider how they
impact the various departments of Sea to Sky. Council members take turns recording
the meeting proceedings, which are reviewed by all council members and then shared
with the CFO.
Communicates Externally
Principle 15. The organization communicates with external
parties regarding matters affecting the functioning of
other components of internal control.
Points of Focus
415 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
•• Internal controls over transactions and balances that represent significant pay-
ables, receivables, or commitments to external stakeholders
•• Policies for protecting information received from external parties during normal
•• Policies related to performing background checks and credit checks, or using col-
lection agencies
418 Management of each program summarizes controls over the allocation and distribution
of funds that have been implemented and a statement from management that it has
confirmed that the controls were operating for the quarter. Any changes to or dete-
rioration in the controls, such as changes in ability to segregate duties due to loss of
personnel, are communicated along with management’s actions to mitigate risks. This
summary is provided quarterly to the oversight agency.
until the completed products are delivered to the freight forwarder for shipment.
This means management retains significant risk to inventory that is not within its
physical control.
420 ConFab’s management team has specific policies and procedures for the purchasing,
manufacture, and preparation of shipments to mitigate its economic exposure and that
support its estimates for inventory reserves. Management communicates these policies
to the manufacturers, along with specific contract clauses that require adherence to the
policies and the right to audit by the company.
421 To ensure that policies and procedures are carried out as intended, ConFab has imple-
mented several methods of communicating with the contract manufacturers:
•• A website built specifically for communications between the company and the
contract manufacturers
•• A variety of periodic reports from the contract manufacturers, which are used in
422 ConFab also performs annual reviews of the contract manufacturers’ controls that
support the completeness and accuracy of reports provided throughout the year.
•• Meetings with outside advisors or subject matter specialists with the expertise to
assess complex accounting and disclosures for major transactions or events
425 After these discussions, Ms. Nachbar met with the senior management of Norgaard-
Kellogg responsible for trading activities to discuss the regulator’s findings and her
own evaluation of the issue and recommendations for enhancements. The informa-
tion was shared with the disclosure committee, a group responsible for assessing
the requirements for disclosures in external filings. After approval of the proposed
actions by the disclosure committee, Ms. Nachbar developed an action plan for updat-
ing internal control policies, procedures, and related documentation to address the
compliance requirements.
427 Clint Bell, the assistant treasurer, is responsible for obtaining and analyzing informa-
tion from an outside advisory firm related to the past, present, and future expectations
of currency fluctuations. One of his sources is a subscription service that provides
reporting on currency values, changes in values, and trends over periods of time. It also
provides alerts if currency fluctuations exceed certain thresholds.
428 Mr. Bell sets up the relevant currencies, time periods, and alerts appropriate for Nevio
Group. The treasurer reviews the settings and approves changes, if needed, each
quarter. On a monthly basis, or more frequently based on alerts received, Mr. Bell evalu-
ates the currency rates used for financial accounting associated with significant esti-
mates impacted by currency values.
429 Based on the information gathered and corroborated from various external sources, he
updates his analysis estimates. The analysis is given to the treasurer, director of finan-
cial reporting, and controller to help them ensure that the basis for their estimates and
communications in external reports are current and appropriate.
430 Management surveys customers, vendors, and others on their perception of the integ- Communicates to External Parties
rity and ethical values of company personnel. This survey process is controlled by • Enables Inbound Communications
company personnel independent of the main customer/vendor contacts. These surveys
Communicates with The Board of Directors
not only provide a sounding board for the company’s customers, but also enable man-
agement to gain important information about the commitments made to customers and • Provides Separate Communication Lines
ensure that such commitments are consistent with the understanding of formal arrange- Selects Relevant Method of Communication
ments between parties.
431 Management carries out surveys of external parties in a variety of ways, which
may include:
433 During these discussions with customers, the manager is expected to address a
number of areas relevant to the customer-company relationship that impact external
financial reporting, including:
•• Confirmation of continued use of products or services that may impact the esti-
mated life of assets or term of contracts used for accounting judgments
•• Issues, concerns, or return activity of company products that may indicate that
recorded sales transactions were not valid
•• Feedback on company individuals that the customer interacts with during the
sales, delivery, support, customer service, or billing process
434 The information gathered through these conversations is shared with finance and other
relevant company personnel. Any issues that indicate a potential financial reporting
issue, such as incomplete delivery of products or services, or billing and payment,
issues are further investigated. Where changes in the accounting for transactions are
needed, additional reviews are performed to ensure that the issues are fully resolved.
Also, an evaluation of internal controls for deficiencies is conducted to prevent or detect
437 The internal audit department of Shoreup Nutrients is responsible for maintaining a
process to ensure that all reported matters are collected, documented, evaluated, and
addressed appropriately. On a weekly basis, internal audit monitors the website and
summarizes any new information collected by using a collaboration software tool acces-
sible only to the audit department.
438 The director of internal audit, Naseema Bahair, evaluates each matter and develops an
action plan, which includes:
439 Upon review of complaints received through whistle-blower hotlines, a decision is made
by the CFO or the audit committee chair about the information that will be shared to the
reporting party.
442 Internal control issues or recommendations for improvement that are identified by the
external audit firm are assigned to an employee in the impacted business process
area, and that person develops and presents a recommended response at the monthly
meeting, or more frequently if needed. The management team evaluates each response,
443 Results of the management meeting are communicated to the external audit firm. As
well, a summary of significant issues and observations are presented at the audit com-
mittee meeting at set intervals during the year or as necessary.
6. Monitoring Activities
Chapter Summary
444 Ongoing evaluations, separate evaluations, or some combination of
the two are used to ascertain whether each of the five components of
internal control, including controls to effect the principles within each
component, is present and functioning. Ongoing evaluations, built into
business processes at different levels of the entity, provide timely infor-
mation. Separate evaluations, conducted periodically, will vary in scope
and frequency depending on assessment of risks, effectiveness of on-
going evaluations, and other management considerations. Findings are
evaluated against criteria established by regulators, standard-setting
Points of Focus
445 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
•• Integrates with Business Processes—Ongoing evaluations are built into the busi-
ness processes and adjust to changing conditions.
Uses Knowledgeable Personnel •• The entity’s regulatory requirements and financial reporting objectives
Integrates with Business Processes •• How quickly the entity’s industry and/or regulatory environment is changing or
• Adjusts Scope and Frequency anticipated to change
Objectively Evaluates
•• The results of historical evaluations of control effectiveness
•• Changes that have occurred in the current year that impact other components of
internal control
447 Senior management may also increase the frequency of separate evaluations from the
•• More active oversight of Viliam’s recently enhanced risk management and gover-
nance processes
•• An iterative risk assessment process that performs a risk review annually and
more often if the business changes
•• Reviews of financial and operational data to identify risks and adverse trends, and
to respond to them accordingly by conducting targeted audits
•• Identify necessary changes in design and conduct of internal controls that result Adjusts Scope and Frequency
•• Establish a new baseline that incorporates any changes that impact the
previous baseline
452 Senior management may use the baseline information to establish which ongoing and
separate evaluations are most appropriate.
456 Some metrics have clearly defined allowable tolerances that have been calculated for
current performance data, which may be used to highlight anomalies. Other metrics
have less defined thresholds and are reviewed by knowledgeable employees for reason-
ableness and unusual items.
•• Current head count compared with expected and historical head count for the
month, quarter, and year
•• Current payroll compared with expected and historical payroll for the month,
quarter, and year
•• Current overtime in hours and dollars compared with expected and historical
overtime in hours and dollars for the month, quarter and year.
458 In his review, Mr. Saunders looks for any unusual fluctuations, such as increases and
decreases in the number of employees and excessive overtime. His review is done in
the context of current plant productivity and target thresholds based on historical data
and planned productivity, which varies by season. If Mr. Saunders identifies any fluctua-
tions, he investigates the underlying reasons and adjusts the process or control activi-
ties as needed.
15 Metrics, often operational in nature, may use information that indirectly signals a failure or anomaly, but
there may be other information available more directly linked to changes or failures. The value of metrics
should be considered when an entity evaluates what mix of ongoing and separate evaluations is appropri-
ate for that entity.
460 Mr. Rosco leverages his knowledge of changes in the business when developing
his expectations on how performance is likely to be consistent with, or vary from,
established targets. In the case of accounts payable KPIs, those variances from the
established targets could result from known factors, such as significant new vendors,
changes in payment terms, and cash flow goals. Where results do not meet expecta-
tions, Mr. Rosco evaluates them for potential underlying issues in established control
activities. Additionally he uses the KPIs to identify trends that could indicate some
fraudulent activity (e.g., he sees a concentration of payments to a vendor that is new or
for which he would not expect that volume).
•• Detailed and/or summarized information about control performance • Uses Knowledgeable Personnel
• Integrates with Business Processes
•• Metrics being measured and/or information being highlighted for evaluation and
Adjusts Scope and Frequency
investigative follow-up
Objectively Evaluates
•• Visual depictions of the status of control operation
•• Key personnel and contact details for those responsible for processes and
sub-processes
16 Dashboards, often operational in nature, may use information that indirectly signals a failure or anomaly,
but there may be other information available more directly linked to changes or failures. The value of
metrics should be considered when an entity evaluates what mix of ongoing and separate evaluations is
appropriate for that entity.
464 Management then considers this information when reviewing tooling costs included in
inventory. In the monthly management meetings, these dashboards are reviewed. Each
of the managers responsible for specific tasks discusses recent progress and expected
changes over the coming month. To the extent that an increase in tool usage was noted,
management would expect that costs related to tooling would be up for the period.
17 Note that many automated activities used to prevent or detect unintended events or results would be
considered control activities.
471 The senior management of Jaron recognizes that self-assessment, while not completely
objective, is an effective first line of defense against internal control failure. Internal audit
helps compensate for the lack of objectivity in the control self-assessments by perform-
ing periodic audits and comparing the results to the self-assessments.
•• Areas where separate evaluations have identified control deficiencies that were
not reported through the self-assessments
473 Now Jaron and Associates is better able to focus its separate evaluation efforts on a
prioritized-risk basis and modify ongoing evaluations where necessary.
476 Subsequent to management’s input, it is up to the chief audit executive, Maria Geide, to
determine whether the internal audit department adequately understands the process,
the overall internal control structure, and the objectives of the review.
477 Once the review is complete, Ms. Geide submits a report on the process controls to
senior management and the board covering the scope of the work (including identifi-
cation of the controls evaluated), a description of the major risks and the appropriate-
ness of the controls, a list of identified deficiencies, and management’s response and
proposed remediation.
•• The outsourced service provider’s applicable control objectives Establishes Baseline Understanding
Uses Knowledgeable Personnel
•• Details about which of the outsourced service provider’s internal control have
Integrates with Business Processes
been examined and included in any report
• Adjusts Scope and Frequency
•• The details and results from any independent audit testing performed
• Objectively Evaluates
•• Special considerations for the outsourced service provider that impacts the report
479 To determine what impact any identified changes may have on the entity’s system of
internal control over external financial reporting, the following may also be assessed:
•• Whether exceptions were noted that may trigger further review by senior
management
480 Based on management’s review and findings, it may be necessary to reassess the
separate evaluation activities over the outsourced service provider.
18 The review of controls at the outsourced service provider is covered in Chapter 3, Control Activities.
Points of Focus
482 The following points of focus may assist management in determining whether this prin-
ciple is present and functioning:
19 In many cases the board of directors will appoint a committee to oversee the system of internal control
depending on the objective. For example the board may appoint an audit committee to oversee system of
internal controls for financial reporting.
20 For example, in the United States, the Securities and Exchange Commission issued “Commission Guid-
ance Regarding Management’s Report on Internal Control Over Financial Reporting Under Section 13(a) or
15(d) of the Securities Exchange Act of 1934” section B. 1. covers the Evaluation of Control Deficiencies
that provides management with guidance on the assessment and reporting of deficiencies.
486 For each level of deficiency,21 the company’s internal reporting structure calls for certain
reporting procedures:
•• Deficiencies are reported in detail to the manager responsible for the control.
21 For purposes of this example the deficiency classifications used are those related to external financial
reporting in the US as promulgated by the SEC.
489 Specifically, the plan calls for one individual within the business unit to be assigned
responsibility for remediating specific control deficiencies. A time frame for remediation
is assigned to each control deficiency, based on its ranking. Working together, man-
agement and internal audit verify that deficiencies are remediated within the specified
time frame.
491 When sufficient action has not been able to be taken by the business on important
internal audit issues by the original reported implementation date, the process owner for
the area is invited to attend the audit committee and explain the issues associated with
implementation of appropriate actions.
494 Management has also developed with the audit committee a shared expectation, which
states that regardless of the previous categorization, management will report all defi-
ciencies resulting from:
495 The audit committee is briefed on the cause of the reported deficiencies and provides
oversight of management’s assessment of the deficiencies and the actions and status
of remediation plans.
Appendix
Examples by Topic
Examples of Changes
This appendix demonstrates examples relating to the changes noted in the Foreword.
Maintaining Oversight 67
Draft for Discussion Reviewing and Documenting Key Activities of the Audit Committee 21
Data Capture and Processing for the Purchasing and Payables Cycle 112
Draft for Discussion Using Data Warehouse to Facilitate Access to Information 111
Using Governance, Risk, and Compliance Technology to Manage Internal Controls 118
Other Examples
Addressing Succession Planning 39
Maintaining Data Flow Diagrams, Flowcharts, Narratives, and Procedures Manuals 107
Specifying Objectives 48
Using an Internal Accounting and Finance Conference to Reinforce Policy Changes 117
Respondents will be asked to respond to a series of questions. Those questions may be found on-line at www.ic.coso.org and in
a separate document provided at the time of download. Respondents may upload letters through this site. Please do not send
responses by fax.
Written comments on this exposure draft will become part of the public record and will be available on-line March 31, 2013.